VMware Horizon: fix for "AD_USER_OR_GROUP_NOT_FOUND" error


When you try to access the Users and Groups > Remote Access section in VMware Horizon you receive the error "AD_USER_OR_GROUP_NOT_FOUND".

While this error is shown, the currently entitled users are not displayed. It is caused by a user or group that cannot be found in your Connection Server.


Before proceeding with the fix, it is strongly recommended to take a snapshot of the Connection Server.



To troubleshoot this error, first you must take a look at the logs located in C:\ProgramData\VMware\VDM\logs.

Open the most recent debug-xxx-xx-xx-xxxxxx.txt file and search for the AD_USER_OR_GROUP_NOT_FOUND string. Once you have found it, look for the following entry in the log:

id = UserOrGroup/xxxxxxxxxxxxxxxxx
e.g. id = UserOrGroup/Uy0xLTUtMjEtNDA1MzYwNDI1LTQxNzYwNjc5MDItMjQ5ODUxMDkyMy0yMTY4


Copy the value after the id = UserOrGroup/ string; it is the string format of the user or group SID.


Using your preferred browser, enter the address https://www.cmd5.com/ to access an online tool to convert a string-format security identifier (SID) into a valid, functional SID. Paste the previously copied string in the first field and click on the button to get the valid SID.
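The sample id above is the Base64 encoding of the SID string, so the conversion can also be done locally on the Connection Server, which keeps directory identifiers off third-party sites. The following PowerShell is an added example, not part of the original article or of VMware's tooling; the function names are hypothetical and the sample log lines are constructed. It also reports whether Windows can still resolve each SID, as a check before deleting anything.

```powershell
# Added example. Assumption: the id is Base64 of the SID string (true for the sample above).
function Convert-HorizonIdToSid {
    param([Parameter(Mandatory)][string]$Id)
    try { $bytes = [Convert]::FromBase64String($Id) } catch { return $null }  # not Base64
    $text = [Text.Encoding]::ASCII.GetString($bytes)
    # Accept only a well-formed SID string: S-1-<authority>-<sub-authority>...
    if ($text -match '^S-1-\d+(-\d+)+$') { return $text }
    return $null
}

function Test-SidResolves {
    # $true if Windows can still map the SID to an account name.
    # $false also covers lookup failures (e.g. no domain controller reachable).
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $null = ([Security.Principal.SecurityIdentifier]$Sid).Translate([Security.Principal.NTAccount])
        return $true
    } catch { return $false }
}

function Get-UserOrGroupSid {
    # Decodes every UserOrGroup id in the lines passed in, so feed it the
    # log lines around the AD_USER_OR_GROUP_NOT_FOUND entry.
    param([Parameter(Mandatory)][string[]]$LogLine)
    $LogLine |
        Select-String -Pattern 'UserOrGroup/([A-Za-z0-9+/=]+)' -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Groups[1].Value } |
        Select-Object -Unique |
        ForEach-Object {
            $sid = Convert-HorizonIdToSid -Id $_
            if ($sid) {
                [pscustomobject]@{
                    Sid       = $sid
                    AdsiEntry = "CN=$sid"      # name to look for in ADSI Edit
                    Resolves  = Test-SidResolves -Sid $sid
                }
            }
        }
}

# Constructed sample lines; only the "id = UserOrGroup/..." part comes from the article.
$sample = @(
    'constructed: AD_USER_OR_GROUP_NOT_FOUND id = UserOrGroup/Uy0xLTUtMjEtNDA1MzYwNDI1LTQxNzYwNjc5MDItMjQ5ODUxMDkyMy0yMTY4',
    'constructed: unrelated line without an id'
)
Get-UserOrGroupSid -LogLine $sample | Format-List
```

To run it against the real log, pass the output of Get-Content on the debug file as -LogLine. A row with Resolves set to False is a candidate for the stale entry; a row that resolves belongs to an account that still exists.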


This is the SID of the user or the group that is causing the AD_USER_OR_GROUP_NOT_FOUND error and must be deleted from the ADAM database in the Connection Server.

From the Connection Server, open the ADSI Edit tool, right click ADSI Edit and select Connect to.


In the Connection Settings window enter the following parameters:

  • In the Select or type a Distinguished Name or Naming Context text box, enter DC=vdi,DC=vmware,DC=int
  • In the Select or type a domain or server text box, type localhost:389

Click OK when done.


Expand DC=vdi,dc=vmware,dc=int and select the CN=ForeignSecurityPrincipals item. In the right pane, search for the corresponding SID (in the example, CN=S-1-5-21-405360425-4176067902-2498510923-2168).


When the entry has been found, right click the CN value and select Delete.


Click Yes to confirm.


If you now access the Remote Access area in your Connection Server, the configured users and groups are displayed properly.


The problem has been fixed and the system functionality restored.